Jimeng Video Generator
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: jimeng-video Version: 2.0.0 The OpenClaw skill 'jimeng-video' is designed to interact with the Volcengine Dreamina AI video generation API. The `SKILL.md` and `README.md` files clearly document its purpose, required API credentials (`VOLCENGINE_ACCESS_KEY_ID`, `VOLCENGINE_SECRET_ACCESS_KEY` from `~/.openclaw/.credentials/volcengine-dreamina.env`), and provide `curl` examples for API interaction with the legitimate Volcengine domain `https://ark.cn-beijing.volces.com`. There is no evidence of prompt injection attempts to manipulate the agent into unauthorized actions, data exfiltration to malicious endpoints, persistence mechanisms, or any other indicators of intentional harmful behavior. The skill's functionality is aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could try to execute a missing or unreviewed local binary, potentially with access to the Volcengine credentials documented by the skill.
The reviewed artifact set says there is no install spec and no code files, but the README claims an installed local executable and tells users to run it. Any such executable would be outside the reviewed artifacts.
## 安装 已自动安装,无需额外操作。 ... ~/.openclaw/skills/jimeng-video/jimeng-video generate
Ship the CLI source or binary in the package, add a clear install spec and provenance, declare the required binary, or remove the CLI workflow and keep the skill as documented direct API instructions.
These credentials may authorize billable cloud API actions if used by the skill or an external CLI.
The skill requires Volcengine cloud API credentials, which is expected for video generation, but the registry metadata declares no required environment variables or primary credential.
在 `~/.openclaw/.credentials/volcengine-dreamina.env` 中配置: VOLCENGINE_ACCESS_KEY_ID=your-access-key-id VOLCENGINE_SECRET_ACCESS_KEY=your-secret-key
Use a least-privilege Volcengine key limited to the needed video-generation service, declare the credential requirement in metadata, and rotate the key if it is exposed.
Accidental or overly broad batch prompts could create many videos and consume paid API quota.
Bulk generation is part of the stated video-creation purpose, but it can submit multiple provider jobs and may incur costs.
- **⚡ 批量生成**:支持一次性生成多个视频 ... jimeng-video batch \ --file prompts.txt \ --output-dir ./videos/
Confirm batch size, prompt file contents, output location, and expected cost before running batch generation.
Text prompts, images, and generated video task data may be processed by the external provider.
The skill discloses that prompts and uploaded images are sent to Volcengine's Ark API. This is purpose-aligned, but it is still an external provider data flow.
- **🎵 图生音视频**:上传图片,生成带声音的动态视频 ... curl -X POST "https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks"
Do not upload private, confidential, or rights-restricted media unless you are comfortable with Volcengine processing it under its terms.